Bug#542158: amd64: double free or corruption on Unchecked_Deallocation
Package: gnat-4.4
Version: 4.4.1-1
Severity: normal
There is a problem with Unchecked_Deallocation on amd64 when freeing
memory of an extended type object which defines an Unbounded_String
field (and possibly other fields). The following code reproduces the
problem:
---
with Ada.Strings.Unbounded;
use Ada.Strings.Unbounded;

package Double_Free is

   --  Root of the hierarchy: a tagged type with no components.
   type Test_Base is tagged null record;

   --  Class-wide access type used to allocate and free any descendant.
   type Test_Class_Access is access all Test_Base'Class;

   --  Extension adding a controlled (Unbounded_String) component; this
   --  is the field whose presence triggers the failing deallocation.
   type Test_Extension is new Test_Base with record
      Last_Name : Unbounded_String := Null_Unbounded_String;
   end record;

end Double_Free;
---
with Ada.Unchecked_Deallocation;
with Double_Free; use Double_Free;

procedure Main is

   --  Deallocator instantiated on the class-wide type: the size and
   --  finalization of the object are determined from its tag at run time.
   procedure Free is new Ada.Unchecked_Deallocation
     (Object => Test_Base'Class,
      Name   => Test_Class_Access);

   --  Allocate the extension but hold it through the class-wide access.
   Handle : Test_Class_Access := new Test_Extension;

begin
   Free (Handle);  --  aborts with "double free or corruption" on amd64/gnat-4.4
end Main;
---
Executing the 'main' binary produced by gnat-4.4 leads to "*** glibc
detected *** obj/main: double free or corruption" errors. Valgrind trace:
valgrind --leak-check=full --show-reachable=yes --leak-resolution=high
../obj/main
==5772== Memcheck, a memory error detector.
==5772== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==5772== Using LibVEX rev 1884, a library for dynamic binary translation.
==5772== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==5772== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==5772== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==5772== For more details, rerun with: -v
==5772==
==5772== Invalid free() / delete / delete[]
==5772== at 0x4C2261F: free (vg_replace_malloc.c:323)
==5772== by 0x50A8D84: __gnat_free (in /usr/lib/libgnat-4.4.so.1)
==5772== by 0x403FC4: _ada_main (in /home/reet/double-free/obj/main)
==5772== by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772== Address 0x5b3b040 is 16 bytes inside a block of size 136 alloc'd
==5772== at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==5772== by 0x50A8DC7: __gnat_malloc (in /usr/lib/libgnat-4.4.so.1)
==5772== by 0x403EF0: _ada_main (in /home/reet/double-free/obj/main)
==5772== by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772==
==5772== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==5772== malloc/free: in use at exit: 136 bytes in 1 blocks.
==5772== malloc/free: 1 allocs, 1 frees, 136 bytes allocated.
==5772== For counts of detected errors, rerun with: -v
==5772== searching for pointers to 1 not-freed blocks.
==5772== checked 203,328 bytes.
==5772==
==5772==
==5772== 136 bytes in 1 blocks are definitely lost in loss record 1 of 1
==5772== at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==5772== by 0x50A8DC7: __gnat_malloc (in /usr/lib/libgnat-4.4.so.1)
==5772== by 0x403EF0: _ada_main (in /home/reet/double-free/obj/main)
==5772== by 0x40327B: main (in /home/reet/double-free/obj/main)
==5772==
==5772== LEAK SUMMARY:
==5772== definitely lost: 136 bytes in 1 blocks.
==5772== possibly lost: 0 bytes in 0 blocks.
==5772== still reachable: 0 bytes in 0 blocks.
==5772== suppressed: 0 bytes in 0 blocks.
Freeing memory of a base type object (Test_Base) works without problems.
When the unbounded string field (Name) is removed or replaced (e.g. by
an Integer), freeing also works for the type extension.
The code has been tested with the following compiler / arch
combinations:
i386/gnat-4.3 : works
i386/gnat-4.4 : works
amd64/gnat-4.3 : works
amd64/gnat-4.4 : FAILS
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnat-4.4 depends on:
ii gcc-4.4 4.4.1-1 The GNU C compiler
ii gnat-4.4-base 4.4.1-1 The GNU Compiler Collection (gnat
ii libc6 2.9-24 GNU C Library: Shared libraries
ii libc6-dev 2.9-24 GNU C Library: Development Librari
ii libcloog-ppl0 0.15-2 the Chunky Loop Generator (runtime
ii libgcc1 1:4.4.1-1 GCC support library
ii libgmp3c2 2:4.3.1+dfsg-3 Multiprecision arithmetic library
ii libgmpxx4ldbl 2:4.3.1+dfsg-3 Multiprecision arithmetic library
ii libgnat-4.4 4.4.1-1 Runtime library for GNU Ada applic
ii libgnatprj4.4 4.4.1-1 GNU Ada Project Manager
ii libgnatvsn4.4 4.4.1-1 GNU Ada compiler version library
ii libmpfr1ldbl 2.4.1-2 multiple precision floating-point
ii libppl-c2 0.10.2-2 Parma Polyhedra Library (C interfa
ii libppl7 0.10.2-2 Parma Polyhedra Library (runtime l
gnat-4.4 recommends no packages.
Versions of packages gnat-4.4 suggests:
pn ada-reference-manual <none> (no description available)
pn gnat-4.4-doc <none> (no description available)
-- no debconf information